Ransom(ware) Notes: Insight into a Growing Cybersecurity Threat
Since the worldwide WannaCry attack in May, the cybersecurity threat of ransomware has only continued to grow. In August, a new strain of the Locky ransomware surfaced, spreading to unsuspecting users through at least 23 million infected emails in a massive malware campaign. Unfortunately, this trend will most likely continue.
We turned to senior analyst Lee Tibbals of Sword & Shield’s Security Operations Center to provide a view from the information security trenches on combating Locky and other ransomware threats facing organizations.
Here are Lee’s insights into ransomware, a growing cybersecurity threat.
Locky was one of the worst ransomware attacks that we have seen in our Security Operations Center. The attack was launched via a mass email campaign that contained a malicious attachment.
We saw it surface in a client’s network shortly after the malicious document had been opened by someone in their organization. Minutes afterward, we began seeing traffic from the ransomware’s Command and Control (C&C) on the network. We identified it as related to the Locky ransomware and notified the client.
We were initially unable to tell who on the network had opened the malicious document, so our team worked with the client to isolate and pull the infected host from the network; however, it soon became clear that the incident involved multiple hosts. Within 10 minutes of the initial indication of a Locky infection, 32 servers in the client’s network had been compromised. We advised the client to block the C&C domains at their firewall and trace the DNS requests back to the infected hosts.
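The last step above, tracing DNS requests for the C&C domains back to the hosts that made them, is shown here as an added example; it is not Sword & Shield's tooling, and the BIND-style query-log lines and the C&C domain names are constructed placeholders, not real Locky indicators:

```python
import re
from collections import defaultdict

# Constructed C&C blocklist: placeholder names, not real Locky indicators.
CNC_DOMAINS = {"cnc-placeholder-1.example", "cnc-placeholder-2.example"}

# Constructed DNS query-log lines in a BIND-style "query:" format.
SAMPLE_LOG = """\
12-Sep-2017 09:14:02.113 client 10.0.5.21#51234: query: cnc-placeholder-1.example IN A + (10.0.0.53)
12-Sep-2017 09:14:02.540 client 10.0.5.21#51240: query: www.example.org IN A + (10.0.0.53)
12-Sep-2017 09:14:05.002 client 10.0.7.88#40021: query: update.cnc-placeholder-2.example IN A + (10.0.0.53)
12-Sep-2017 09:14:09.777 client 10.0.7.88#40030: query: cnc-placeholder-1.example IN AAAA + (10.0.0.53)
12-Sep-2017 09:14:11.301 client 10.0.9.4#33001: query: mail.example.org IN MX + (10.0.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def matches_blocklist(qname, blocklist):
    """True if qname equals a listed domain or is a subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in blocklist)

def trace_infected_hosts(log_text, blocklist=CNC_DOMAINS):
    """Map each client IP that looked up a blocklisted name to the names it
    asked for and the timestamp of its first such query."""
    hits = defaultdict(lambda: {"first_seen": None, "domains": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query-log entry; ignore
        if matches_blocklist(m["qname"], blocklist):
            rec = hits[m["ip"]]
            if rec["first_seen"] is None:
                rec["first_seen"] = m["ts"]
            rec["domains"].add(m["qname"].rstrip(".").lower())
    return dict(hits)

if __name__ == "__main__":
    # Each host listed here is a candidate for isolation; the first_seen
    # timestamp gives the order in which the infection spread.
    for ip, rec in sorted(trace_infected_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: first C&C lookup at {rec['first_seen']}, domains={sorted(rec['domains'])}")
```

Subdomain matching matters because the resolver log records the full queried name, not just the registered domain on the blocklist.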
Defense in depth
Once the infection had been dealt with, we worked with the client to implement a layered security approach. This included training users how to spot malicious emails, blocking email attachments, updating and patching operating systems, and strengthening their overall security posture. Using a defense in depth security model can prevent a small incident from becoming a major breach. After implementing a defense in depth plan, the client has avoided further disasters, such as the Locky outbreak.
WannaCry and Petya/NotPetya
On May 12, the world experienced the largest ransomware attack in internet history to date as WannaCry infected more than 200,000 computers in 150 different countries.
As we monitor multiple clients around the world, we see many attack scenarios as they unfold. Security analysts generally share information on attacks that they have found, and we were able to get this information about WannaCry and NotPetya in the beginning stages before it hit the U.S. This allowed us to reach out to our clients in the early stages of the attacks to inform them of what was going on and secure their networks.
The most dangerous aspect of the WannaCry and Petya versions of ransomware was the method used to spread the ransomware throughout multiple networks. The exploit leveraged was EternalBlue, which uses the SMB protocol. Microsoft had issued a patch for this exploit at the time WannaCry was released. Many companies had been unable to patch, or didn’t take patching this vulnerability seriously at the time it was released.
Security Operations Center
Our managed security analysts administer and maintain security measures focused on application, web and infrastructure security for our clients. The analysts provide security analytics and assistance with security support requests. For more information submit a consultation request.
Lee Tibbals is the senior analyst in the managed security operation center at Sword & Shield Enterprise Security. His primary roles in the security operation center are to help clients monitor their internal network for malware, exploits, and vulnerabilities, as well as provide insight and guidance into best practices for network configuration and remediation. He is also the lead threat intelligence analyst and often consults with clients for analysis on links, email, and files the client finds to be suspicious.
Lee has four years of experience in the security field with three concentrated in monitoring client networks.